Understanding and managing our risk environment to support the Group’s objectives
Ravi Rajagopal
Chair, Audit and Risk Committee
Identifying and managing risk
We’ve designed our risk management framework to give us a consistent means of identifying, mitigating and monitoring risk across all 14 operating companies (OpCos) and Group entities. It provides our senior management and Board with oversight of our principal risks and promotes a bottom-up approach to identifying and managing risks across the Group. The directors have carried out a robust assessment of the company’s principal and emerging risks to comply with Provision 29 of the UK Corporate Governance Code 2024, see Governance report.
Risk management governance
Our Board has overall responsibility for the Group’s risk management framework and processes. Through the Audit and Risk Committee, the Board oversees the Group’s risk management framework and regularly reviews its principal risks as well as emerging risks that may impact the Group. Within that overarching framework, the governance of risk management has been cascaded to various levels across the organisation to allow effective management of the Group’s risks. The framework covers the interplay between risks impacting Airtel Africa as a whole and risks identified at either the OpCo level (geography-related) or the functional level (business function-related).
Our Group Executive Risk Committee (ERC) evaluates and prioritises the principal risks with the potential to undermine our strategy, business model and solvency, in line with our overall risk appetite. The committee also reviews, on an ongoing basis, the external business environment to identify emerging risks which could potentially have an impact on the Group’s business in the future. Group functional teams identify functional risks cutting across our OpCos to create a consistent Group-wide risk mitigation strategy for similar risks.
We operate a similar risk management governance structure across the Group and our OpCos. Each OpCo has an executive risk management committee (ERC) with the respective OpCo Boards maintaining overall responsibility for risk management within their OpCo. Each OpCo identifies risks within their business environment and implements appropriate mitigation actions. The OpCo ERC and the OpCo Boards oversee the governance of this process and the effectiveness of mitigation actions.
1
Our work has included assessing risk management, improving controls and tracking compliance against regulations applying to mobile money businesses in all our markets and arising from central bank licences. Strengthening the IT systems and increasing resilience of application software has been a core part of our work this year.
2
Risk governance
Board – Audit and Risk Committee
The Board has overall responsibility for the Group’s risk management processes. Through the Audit and Risk Committee (ARC), the Board oversees the Group risk management framework, approves the Group’s risk appetite and regularly reviews our principal and emerging risks.
The Board maintains oversight of the effectiveness of the Group’s risk management processes through regular reviews of the Group’s principal and emerging risks, thematic risk reviews and review of key risk indicators (KRIs) against tolerance limits set. This year, the ARC carried out several in-depth thematic risk reviews – see more in the ARC chair’s report.
Group Executive Risk Committee
The Group Executive Risk Committee (ERC) is responsible for the implementation of the risk management framework across the Group. The ERC reviews our significant risks, the progress and effectiveness of mitigation actions and performance of KRIs to ensure that the Group operates within its defined risk appetite.
The ERC meets quarterly and carries out robust reviews of the Group’s principal risks which span its operating markets and functions. It also reviews and discusses emerging risk trends which potentially impact the Group’s business.
Functional risk management reviews
The Group executive functional heads are responsible for identifying and mitigating risks across the Group within their functional areas. They are responsible for embedding risk management within operational business processes. The Group’s risk register is created from risks identified either by the Group functional heads or the OpCo ERCs.
The Group functional heads carry out ongoing risk reviews as part of their operational functional processes. These risk reviews address risks within their functions across the Group’s operating footprint.
OpCo Executive Risk Committee and OpCo Board
Each OpCo ERC performs a similar role to the Group ERC. They’re responsible for implementing the risk management framework in our subsidiaries.
ERCs identify risks within the local environment and mitigation actions to manage those risks. Each OpCo Board has overall responsibility for the risk management process within that OpCo.
The OpCo ERCs meet on a quarterly basis while the OpCo Boards review the OpCo principal and emerging risks on at least a semi-annual basis.
Risk identification process
Continuous feedback and improvement
1. Identify risks
Identify potential events that could affect the achievement of objectives
Functional risk owners
(Group & OpCos)
- Identify and document risks at functional level and at the Operating company (OpCo) level
- Update and ensure risk information is complete and accurate
Executive Risk Committee
(Group & OpCos)
- Facilitate enterprise-wide risk identification
- Challenge and validate key risks and emerging risks
Board – Audit & Risk Committee
(Group & OpCos)
- Oversee that key risks facing the Group are identified
- Provide direction on risk areas of focus
2. Assess risks
Assess risks based on likelihood of occurrence and potential impact
Functional risk owners
(Group & OpCos)
- Assess risks for likelihood and potential impact
- Keep risk rating under review including rationale
Executive Risk Committee
(Group & OpCos)
- Review and challenge risk assessments and prioritisation
- Consolidate and determine top enterprise risks
Board – Audit & Risk Committee
(Group & OpCos)
- Review and be satisfied on the appropriateness of risk assessments and prioritisation
3. Respond to risks
Select and implement appropriate risk response strategy
Functional risk owners
(Group & OpCos)
- Identify and implement risk response plans and controls
- Own risk treatment and accountability for results
Executive Risk Committee
(Group & OpCos)
- Evaluate and review risk response strategies within the Group’s risk tolerance
- Oversee implementation of risk response and allocate resources
Board – Audit & Risk Committee
(Group & OpCos)
- Approve risk appetite and risk response for principal and emerging risks
- Oversee management’s actions to address key risks
4. Monitor & review
Monitor risk & review implementation of risk response strategy
Functional risk owners
(Group & OpCos)
- Monitor risks and controls on an ongoing basis
- Escalate issues and report changes in risk context and risk rating
- Report progress of risk response strategy to the ERC and escalate as required
Executive Risk Committee
(Group & OpCos)
- Monitor key and emerging risks and effectiveness of risk response
- Communicate key risk information to the Board
Board – Audit & Risk Committee
(Group & OpCos)
- Monitor risk exposures and effectiveness of risk management
- Review and approve Principal and emerging risks, key risk indicators (KRIs) & tolerance limit
- Strategic & thematic risk reviews
- Provide oversight, guidance and hold management accountable
Risk management is embedded in strategy and decision-making at every level of the organisation
Our risk appetite framework
The Group’s risk appetite framework and statement formalise the Group’s risk appetite, tolerance limits and governance oversight processes to ensure that risks across the Group are managed within acceptable limits. We adopt a four-point scale for risk appetite, described below.
Open
We strongly accept these risks as they are incidental to the achievement of our business objectives. These risks provide good risk/reward trade-off and internal competencies exist to manage or exploit these risks effectively.
Flexible
We are open to accepting these risks on a justifiable basis. We will consider available options and select the option that provides good returns with an acceptable level of risk in the pursuit of our objectives.
Cautious
We will accept these risks only if essential, with limited potential for a negative outcome. We prefer to avoid these risks and where these risks are accepted, the risks are carefully measured and monitored.
Averse
We are strongly opposed to these risks and prefer to avoid them. We are not open to any risk/return trade-off and will always accept the lowest risk option for these risks.
Risk appetite monitoring
To ensure adherence to the Group’s risk appetite framework and that risks are managed within acceptable limits, the Board, through the ARC, has approved a set of key risk indicators (KRIs) and tolerance limits across key organisational functions and processes. Performance against these KRIs and their respective tolerance limits is tracked, reported and reviewed by the ERC and the ARC on a quarterly basis. Where tolerance limits are breached for any KRI, an appropriate risk mitigation plan is developed, and its implementation is monitored as part of the risk review process. The Group’s risk review and governance processes, along with the ongoing monitoring of KRIs and their corresponding tolerance limits, enable the Board to assess whether risks across the Group are being managed within the established risk appetite.
How we classify our risks
Strategic risks
These are risks arising from changes in our external business environment such as macroeconomic conditions or market/competitive dynamics.
Adverse competition and market disruption
Digitisation and innovation
Geopolitical risks and adverse macroeconomic conditions
Our philosophy/approach
We operate in 14 countries across Africa with significant market opportunities arising from low penetration of telecommunications and banking services.
The Group is bullish on the opportunities that Africa presents and is generally open to taking increased levels of risks to capture these market opportunities.
Operational risks
Risks affecting our ability to effectively operate our business model across a variety of functional areas.
Cyber and information security threats
Supply chain disruptions
Leadership succession planning
Financial services platform resilience
Technology resilience and business continuity
Our philosophy/approach
Delivering on the Group’s strategic objectives requires an effective operating model, execution excellence and operational rigour, with a focus on customer satisfaction across the organisation. This operational excellence will ensure that the Group can continue to deliver incremental revenue growth at minimal marginal costs, resulting in a positive flow-through to profitability.
Financial risks
Risks impacting our liquidity or solvency, financial reporting, or capital structure.
Exchange rate fluctuations and shortage of foreign currency
Philosophy/approach
The Group is committed to prudent financial management built on a robust system of controls and effective business partnering. The Group is flexible in its risk-taking approach to financial management to support strategic growth objectives but averse to any form of violation of its system of key financial and internal controls.
Governance and compliance risks
Risks affecting our ability to comply with our legal, regulatory and governance obligations.
Uncertainty in policy and regulatory environment
Our philosophy/approach
We are committed to complying with laws and regulations in the jurisdictions where we operate and averse to violations of legal or regulatory obligations.
Risk heat map (residual risks) for the reporting period 2025/26
* Risk heat map post-mitigation efforts
Strategic risks
Adverse competition and market disruption
Digitisation and innovation
Geopolitical risks and adverse macroeconomic conditions
Operational risks
Cyber and information security threats
Supply chain disruptions
Leadership succession planning
Financial services platform resilience
Technology resilience and business continuity
Financial risk
Exchange rate fluctuations and shortage of foreign currency
Governance and compliance risk
Uncertainty in policy and regulatory environment
Changes in principal and emerging risks during the financial year
Increase in cost structure
Changes
This risk has been removed as a principal risk, with residual elements of this risk incorporated in the newly identified principal risk – supply chain disruptions. Over the years, the Group has embedded a cost optimisation culture and strategy within its business planning and operational monitoring processes. The outcome of this is reflected in the Group’s operating profitability and business performance.
Internal controls and compliance
Changes
This risk has been removed as a principal risk. This change reflects sustained improvement and continuous enhancements to the Group’s internal control environment, assurance processes and governance oversight controls.
Supply chain disruptions
Changes
This is a new principal risk for the Group. The risk reflects the changing dynamics within the global supply chain which have the potential to impact the Group directly or indirectly.
Financial services platform resilience
Changes
This is a new principal risk for the Group. The resilience of our mobile financial services platform is an important factor in driving the continued growth and penetration of our Airtel Money business.
Artificial intelligence (AI)
Changes
Artificial intelligence (AI) has been identified as an emerging risk for the Group. While the rapid evolution of AI technologies presents significant opportunities, it also has the potential to introduce new risks, if not supported by the necessary oversight and governance framework.